[Yum] Re: Usernames, Passwords and yum

Brian bwaichu at yahoo.com
Wed Jun 9 22:24:46 UTC 2004


My biggest concern over having company-specific repos
is that you set up a box with an open port that updates
all your other boxes.  And you have no encryption
through YUM.  If the FTP server is misconfigured in
any way, you have a serious security problem.

If the YUM box is at all accessible outside of the
company, then anyone can possibly modify your RPMs. 
When you go and update, all your boxes now have the
modified RPMs installed, which can create a company-wide
security problem.

My biggest security fear now is a distributed denial
of service via "spyware".  Imagine if someone were to
modify the spyware distributed on Yahoo! to do an
immediate denial of service attack on a target.  If
you can imagine the large number of folks that hit
Yahoo! every hour, that would bring down the target
quickly.  If the spyware was created with a good
polymorphing ability, then you couldn't locate it
through pattern searching.  

Brian


> I'm gonna jump in here - and I might be way off target (missed beginning
> of thread) but I can see a need for username/password authentication
> with yum ...
>
> example case ...
>
> A company ships a linux distribution and wants to make updates available
> (through yum) only to those users who have paid for ongoing support. The
> yum server has a list of all 'valid' users. The yum client on the user's
> machine authenticates against the yum server with their username and
> password. If the username/password combo doesn't match an entry in the
> list on the yum server - updates are denied, otherwise updates pass.
>
> This may already be possible, either through yum itself, or with http
> authentication, or whatever. I dunno - but if not - I think it would be
> a nice feature for yum to have. And in order to run yum update in a cron
> job - the authentication would need to be done without prompting user
> for password ...
> 
> Feel free to discuss or abuse ...
> 
> pantz
> 
> -- 
> Before you criticize someone, walk a mile in their shoes ...
> That way when you do criticize them, you're a mile away and you have
> their shoes!
> 
> _______________________________________________
> Yum mailing list
> Yum at lists.dulug.duke.edu
> https://lists.dulug.duke.edu/mailman/listinfo/yum
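
An added example, not part of the original thread: a small Python audit of yum `.repo` files for the two conditions the reply above worries about, package fetches over an unencrypted transport (FTP/HTTP) and no signature check (`gpgcheck`) that would catch modified RPMs. The repository IDs, host names and key path in the sample are constructed, and treating an unset `gpgcheck` as disabled is an assumption of this sketch.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .repo content (hypothetical hosts and key path).
SAMPLE_REPO = """\
[company-updates]
name=Company updates
baseurl=ftp://yum.example.internal/updates/
gpgcheck=0

[company-signed]
name=Company updates (signed)
baseurl=https://yum.example.internal/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

PLAINTEXT_SCHEMES = {"ftp", "http"}   # no transport encryption
TRUE_VALUES = {"1", "yes", "true"}    # boolean spellings accepted here


def audit_repo_config(text):
    """Return {repo_id: [findings]} for every repository section in text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    # A [main] section (as in yum.conf) supplies the default for gpgcheck.
    # Assumption: when it is set nowhere, treat it as disabled.
    default_gpg = parser.get("main", "gpgcheck", fallback="0")
    report = {}
    for repo_id in parser.sections():
        if repo_id == "main":
            continue
        findings = []
        # baseurl may list several URLs separated by whitespace.
        for url in parser.get(repo_id, "baseurl", fallback="").split():
            scheme = urlparse(url).scheme.lower()
            if scheme in PLAINTEXT_SCHEMES:
                findings.append("plaintext-transport:" + scheme)
        gpg = parser.get(repo_id, "gpgcheck", fallback=default_gpg)
        if gpg.strip().lower() not in TRUE_VALUES:
            findings.append("gpgcheck-disabled")
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for repo, findings in audit_repo_config(SAMPLE_REPO).items():
        print(repo, "->", ", ".join(findings) or "ok")
```

A repository that reports both findings is the case described above: whoever can alter the packages on the server or in transit controls what every client installs.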
